From: Jens Axboe
Date: Fri, 1 Dec 2017 02:50:34 +0000 (-0700)
Subject: client: fix use-after-free for client timeout
X-Git-Tag: fio-3.3~33
X-Git-Url: https://git.kernel.dk/?p=fio.git;a=commitdiff_plain;h=1d4845069e0ed59c852fb38f9d17db65ddacd73b
client: fix use-after-free for client timeout
We free the reply, but if it times out, we dereference it afterwards. Store the opcode before calling into handle_cmd_timeout().
Signed-off-by: Jens Axboe
---
diff --git a/client.c b/client.c
index 3b54bfdf..2b136a0f 100644
--- a/client.c
+++ b/client.c
@@ -1903,16 +1903,19 @@ static int client_check_cmd_timeout(struct fio_client *client,
 int ret = 0;
 flist_for_each_safe(entry, tmp, &client->cmd_list) {
+ unsigned int op;
+
 reply = flist_entry(entry, struct fio_net_cmd_reply, list);
 if (mtime_since(&reply->ts, now) < FIO_NET_CLIENT_TIMEOUT)
 continue;
+ op = reply->opcode;
 if (!handle_cmd_timeout(client, reply))
 continue;
 log_err("fio: client %s, timeout on cmd %s\n", client->hostname,
- fio_server_op(reply->opcode));
+ fio_server_op(op));
 ret = 1;
 }
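Review bot: After `handle_cmd_timeout(client, reply)` returns non-zero, `reply` is still in scope but, per the commit description, has already been freed by that path; the hunk removes the one remaining dereference yet leaves nothing at the call site to stop a later edit from adding another. A comment on the new `op = reply->opcode;` line, `/* handle_cmd_timeout() frees reply on timeout; copy what we need first */`, would record the ordering dependency, and `reply = NULL;` immediately after the call would turn any future use into a fail-fast null dereference instead of a read of freed memory. The declared type of `reply->opcode` is not visible in the hunk, so whether `unsigned int` is the exact type for `op` should be checked against struct fio_net_cmd_reply. client_check_cmd_timeout begins before the hunk and continues past it.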